*Attendees*
Tyler Johnson, UNC
Jim Jokl, U. Virginia
Tom Barton, U Chicago
Steve Fast, UT-HSCH
Barry Ribbeck, UT-HSCH
Nadim El Khoury, UNC
Jeanette Fielden, Internet2
Steve Olshansky, Internet2
Ann West, Internet2 Educause

*Discussion*

Tyler described the eHealth initiative of the ITU, which has the goal of standardizing collaborative applications for the medical field. They want to identify a collection of existing standards to recommend clusters of functionality that can be used for medical applications and outside of the healthcare field as well. Work on identifying security mechanisms has been proposed and they are looking at existing standards around PKI for potential use.

If a secure method for videoconferencing were identified would there be sufficient interest in the medical community to convince vendors to build it? Vendors have been reluctant since they don’t perceive a product demand and have concern over which standard to develop around. If development guidelines existed vendors may be more willing to commit resources to creating new products.

Barry felt the areas of possible application need to be differentiated. Authentication is one area where certain applications may need strong authentication. Security and transmission, such as over a VPN, is another. There needs to be work from the vendor side to provide a more seamless connection rather than over the network connections. If the medical community has to build secure networks point-to-point everywhere it doesn’t scale very well. It would be better if the applications could connect application end-to-end over a secure channel.

Steve Fast believes that because of the HIPAA requirements there will be buy-in from the healthcare community for secure ways to send information over the Internet. There just needs to be products for them to buy.

Barry pointed out that PKI end user certificates are only needed in some venues. Where it is appropriate it is not too difficult to make it available as an authentication mechanism. The low hanging fruit is the end-to-end encryption so people buying the product has some assurance what they’re sending is not being listened to by everyone. Whether it is done with PKI or other technology is less important than it being done.

How are medical communities going to manage the certificates and why don’t we need end user certs in the medical environment? In some cases the information being protected may not need that level of assurance. A PKI cert is not necessarily any stronger than user id and password; it’s just less sharable. You can make it stronger with tokens etc. On a videoconference you can see whom you’re talking to. And if it’s a medical group whose certificate do you use for the authentication? For a teaching environment, such as hospital rounds, it might be a certificate that is embedded in the endpoint and is secure in terms of transmission but not strongly authenticated. There is also interest in international consulting, particularly in the teaching environment.

For the case where a private physician needs to connect to a specialist at the medical center, end-to-end user certs would be needed. The specialist may not personally know the physician. With strong vetting/credentialing the specialist has some reassurance that they are talking to a qualified legitimate person. There is the question of where the physician gets vetted and obtains a cert. It may also be complicated by the question of licensing since states license physicians and two physicians on a videoconference may not be licensed in each others state.

Barry also pointed out that charge capture is a long-term impediment as well. Currently in an informal exchange, no cost recovery is imposed. If it is being done as a service, costs need to recouped, insurance companies involved etc. The key for the moment may be to ensure the hooks are in place but not worry about implementing it.

Steve Fast indicated that they are not seeing a lot of demand at this point for patient to physician. It’s mainly facility to physician, physician to facility, or nurse at a remote location to physician.

The vendor product should work with any generic cert. How would physicians obtain the cert? Should the product generate the cert or should they obtain it elsewhere, example VeriSign? If the product generates it, it does not add trust. Buying it from VeriSign does not tell anything about identity, but is better than a self-generated cert.

In the case where there is an institutional CA, Jim would not want to see any of these devices generating certs. The should be generated from the institution’s root cert. Currently not many potential telemedicine customers have access to CA’s that are operational. Since the applications that use certs don’t exist there is no motivation to get one and not much use for those that already have a cert. If products existed they can get certs.

Getting the certs to doctor’s has to be as easy as possible. In Galveston they’re hoping to have certs on the staff badges/ smart cards by the end of the year. The adoption of smart cards as staff badges depends on the institution.

Tyler has been working with directory services that can store certs in a directory server in a standardized way. A conferencing station can be logged into with a campus ID and password. After authenticating the endpoint can download the cert. Jim pointed out that this doesn’t give the high level of authentication expected from PKI and that a USB device would provide. If the goal is to use a cert like a password it’s fine. The lack of a device weakens the non-repudiation aspect. The private key is supposed to never leave the user’s possession since it’s their signature. Similar to the fingers you write your signature with never leave your hand. A pass phrase protects the card, and after unsuccessful attempts it deactivates. The signing computation happens on the card/chip itself.

It would be ideal if the vendor’s product was standardized so any appropriate device would work in a PC environment. Currently most videoconferencing systems run Vxworks, a UNIX variant. Tyler believes that because of that, storing certs in LDAP, accessible over the network is achievable without hardware changes.

Tyler asked if PKI is the way to go? Barry believes it depends on the context. In terms of authentication, PKI has some benefit for endpoint-to-endpoint securing information over the wire. HIPAA requires that passwords not be shared but it is not a violation of HIPPA regulations about sharing passwords to let someone additional attend a videoconference, or look at a file so PKI is not necessary in all areas.

Topics for discussion in a future call: possible co-ordination of VC work with other areas of Internet2 middleware, implications/issues around how to access/use these services from home, and to what extent does CALEA (FBI wiretapping) come into play and how will it apply to VoIP.

[AI] Steve Olshansky: Will act as the lead for a scenario in the medical middleware space with the videoconferencing as a variant and solicit on the list for interested participants.

Barry mentioned that the military is moving towards digital dog tags that store medical information. On the civilian side it can be very complex. If you have a chronic medical condition you may have to deal with a lot of information every time you move/ travel. And what happens if all your records are stored on a tag and it’s lost, or you’re unconscious and it’s password protected etc?